summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-14net/sched: act_csum: don't mangle UDP tunnel GSO packetsAlice Mikityanska
Similar to commit add641e7dee3 ("sched: act_csum: don't mangle TCP and UDP GSO packets"), UDP tunnel GSO packets going through act_csum shouldn't have their checksum calculated at this point, because it will be done after segmentation. Setting the checksum in act_csum modifies skb->ip_summed and prevents inner IP csum offload from kicking in, resulting in a packet with a bad checksum. Add UDP tunnel GSO packets to the exceptions, and also add UDP GSO (SKB_GSO_UDP_L4), as the same logic as in the commit mentioned above applies to UDP GSO too. Signed-off-by: Alice Mikityanska <alice@isovalent.com> Reviewed-by: Davide Caratti <dcaratti@redhat.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260611192955.604661-2-alice.kernel@fastmail.im Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-14Merge branch 'for-next/sysregs' into for-next/coreWill Deacon
* for-next/sysregs: arm64/sysreg: Add HDBSS related register information
2026-06-14Merge branch 'for-next/selftests' into for-next/coreWill Deacon
* for-next/selftests: kselftest/arm64: Add 2025 dpISA coverage to hwcaps kselftest/arm64: Add tests for POR_EL0 save/reset/restore kselftest/arm64: Move/add POE helpers to test_signals_utils.h kselftest/arm64: Add POE as a feature in the signal tests selftests/mm: Fix resv_sz when parsing arm64 signal frame
2026-06-14Merge branch 'for-next/perf' into for-next/coreWill Deacon
* for-next/perf: perf/arm-cmn: Fix DVM node events perf: qcom: Unify user-visible "Qualcomm" name MAINTAINERS: Update HiSilicon PMU driver maintainer to Yushan Wang
2026-06-14Merge branch 'for-next/mpam' into for-next/coreWill Deacon
* for-next/mpam: arm_mpam: Update architecture version check for MPAM MSC arm64: cpufeature: Add support for the MPAM v0.1 architecture version
2026-06-14Merge branch 'for-next/mm' into for-next/coreWill Deacon
* for-next/mm: (24 commits) Revert "arm64: mm: Unmap kernel data/bss entirely from the linear map" Revert "arm64: mm: Defer remap of linear alias of data/bss" arm64/mm: Rename ptdesc_t arm64: mm: Defer remap of linear alias of data/bss KVM: arm64: Omit tag sync on stage-2 mappings of the zero page arm64: Avoid double evaluation of __ptep_get() kasan: Move generic KASAN page tables out of BSS too arm64: Rename page table BSS section to .bss..pgtbl arm64: mm: Unmap kernel data/bss entirely from the linear map arm64: mm: Map the kernel data/bss read-only in the linear map mm: Make empty_zero_page[] const sh: Drop cache flush of the zero page at boot powerpc/code-patching: Avoid r/w mapping of the zero page arm64: mm: Don't abuse memblock NOMAP to check for overlaps arm64: Move fixmap and kasan page tables to end of kernel image arm64: mm: Permit contiguous attribute for preliminary mappings arm64: kfence: Avoid NOMAP tricks when mapping the early pool arm64: mm: Permit contiguous descriptors to be manipulated arm64: mm: Preserve non-contiguous descriptors when mapping DRAM arm64: mm: Preserve existing table mappings when mapping DRAM ...
2026-06-14Merge branch 'for-next/misc' into for-next/coreWill Deacon
* for-next/misc: arm64: arch_timer: reuse arch_timer_read_cnt{p,v}ct_el0() helpers arm64: patching: replace min_t with min in __text_poke ARM64: remove unnecessary architecture-specific <asm/device.h> arm64: Implement _THIS_IP_ using inline asm arm64: panic from init_IRQ if IRQ handler stacks cannot be allocated arm64: smp: Do not mark secondary CPUs possible under nosmp arm64/daifflags: Make local_daif_*() helpers __always_inline
2026-06-14Merge branch 'for-next/fpsimd-cleanups' into for-next/coreWill Deacon
* for-next/fpsimd-cleanups: arm64: fpsimd: Remove <asm/fpsimdmacros.h> arm64: fpsimd: Move SME save/restore inline arm64: fpsimd: Move sve_flush_live() inline arm64: fpsimd: Move SVE save/restore inline arm64: fpsimd: Use opaque type for SME state arm64: fpsimd: Use opaque type for SVE state arm64: fpsimd: Move fpsimd save/restore inline arm64: fpsimd: Split FPSR/FPCR from SVE save/restore arm64: sysreg: Add FPCR and FPSR arm64: fpsimd: Move sve_get_vl() and sme_get_vl() inline arm64: fpsimd: Use assembler for baseline SME instructions arm64: fpsimd: Use assembler for SVE instructions arm64: fpsimd: Remove sve_set_vq() and sme_set_vq() arm64: fpsimd: Fold sve_init_regs() into do_sve_acc() KVM: arm64: pkvm: Remove struct cpu_sve_state KVM: arm64: pkvm: Save host FPMR in host cpu context KVM: arm64: Don't override FFR save/restore argument KVM: arm64: Don't include <asm/fpsimdmacros.h> arm64: fpsimd: Fix type mismatch in sme_{save,load}_state() arm64: fpsimd: Fix type mismatch in sve_{save,load}_state()
2026-06-14Merge branch 'for-next/errata' into for-next/coreWill Deacon
* for-next/errata: arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU arm64: errata: Mitigate TLBI errata on various Arm CPUs arm64: cputype: Add C1-Premium definitions arm64: cputype: Add C1-Ultra definitions arm64: kernel: Disable CNP on HiSilicon HIP09 arm64: cpufeature: Add WORKAROUND_DISABLE_CNP capability arm64: proton-pack: use sysfs_emit in sysfs show functions arm64: errata: Reformat table for IDs
2026-06-14Merge branch 'for-next/cpufeature' into for-next/coreWill Deacon
* for-next/cpufeature: arm64: Document SVE constraints on new hwcaps arm64/cpufeature: Define hwcaps for 2025 dpISA features
2026-06-14netfilter: nf_dup_netdev: add nf_dev_xmit_recursion*() helpers and use themPablo Neira Ayuso
Update nft_dup and nft_fwd to use the nf_dev_xmit_recursion() helpers. This patch also disables BH when transmitting the skb to address a possible migration to different CPU leading to imbalanced decrementation of the recursion counters. This is modeled after Florian Westphal's dev_xmit_recursion*() API available since commit 97cdcf37b57e ("net: place xmit recursion in softnet data") according to its current state in the tree. Fixes: 1d47b55b36d2 ("netfilter: nft_fwd_netdev: use recursion counter in neigh egress path") Fixes: f37ad9127039 ("netfilter: nf_dup_netdev: Move the recursion counter struct netdev_xmit") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14ipvs: fix doc syntax for conn_max sysctlJulian Anastasov
Fix the docutils error reported by kernel test robot for the new conn_max sysctl: Documentation/networking/ipvs-sysctl.rst:76: WARNING: Block quote ends without a blank line; unexpected unindent. [docutils] Documentation/networking/ipvs-sysctl.rst:76: ERROR: Unexpected section title or transition. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202606071851.Dc1H7hOO-lkp@intel.com/ Fixes: 4a15044a2b06 ("ipvs: add conn_max sysctl to limit connections") Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: flowtable: bail out if forward path cannot be discoveredPablo Neira Ayuso
If forward path discovery fails for any reason or netdevice is not registered for this flowtable, then bail out to classic forwarding path rather than providing incomplete forwarding path. Update the existing forward path parser functions to report an error so the flow_offload expressions gives up on setting up the flowtable entry. Link: https://sashiko.dev/#/patchset/20260607094954.48892-15-pablo%40netfilter.org?part=14 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: conntrack: check NULL when retrieving ct extensionPablo Neira Ayuso
nf_ct_ext_find() might return NULL if ct extension is not found. Add also the null checks to: - nfct_help() - nfct_help_data() - nfct_seqadj() - nfct_nat() This is defensive, for safety reasons. nf_ct_ext_find() used to return NULL if the extension is stale for unconfirmed conntracks if the genid validation fails. Skip NULL check in nf_nat_inet_fn() given this is valid to be NULL for non-initialized ct nat extensions. While at it, fetch ct helper area in nf_ct_expect_related_report() only once and pass it on to other ancilliary functions. Replace WARN_ON() by WARN_ON_ONCE() in nf_ct_unlink_expect_report(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: nf_conncount: gc and rcu fixesFlorian Westphal
Another drive-by AI review: 1) tree_gc_worker fails to wrap around after it can't find more pending work. Update data->gc_tree unconditionally. If its 0, start from the first pending tree (which can be 0). 2) tree_gc_worker() iterates the rbtree without lock. This is never safe. Move iteration under the spinlock. If this takes too long (resched needed), save key of next node, drop lock, resched, re-lock, then search for the key (node). In very rare cases this node might no longer exist, in that case we can just wait for next gc. 3) use disable_work_sync(), we don't want any restarts. 4) module exit function needs rcu_barrier before we zap the kmem cache. Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search") Closes: https://sashiko.dev/#/patchset/20260525182924.28456-1-fw%40strlen.de Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: nf_conncount: add sequence counter to detect tree modificationsFlorian Westphal
There a two issues with traversal: 1. Key lookup (tree search) cannot detect concurrent modifications and may not find a result in case of parallel modification. 2. Worker does a lockless iteration. This is never safe. Add a sequence counter and re-do the lookup under lock in case the tree was modified / seqcount changed. gc_worker bugs are addressed in the next patch. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: nf_conncount: split count_tree_node rbtree walk into helperFlorian Westphal
Add find_tree_node() helper that fetches a matching rbtree node. This is used by followup patch to optionally search the tree again while preventing concurrent updates via tree lock. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: nf_conncount: use per nf_conncount_data spinlocksFlorian Westphal
This change replaces the rb_root with a new container structure. Instead of an array of locks shared by all nf_conncount_data objects, each tree gains its own dedicated lock. Downside: nf_conncount_data increases in size. Before this change: struct nf_conncount_data { [..] /* --- cacheline 33 boundary (2112 bytes) was 16 bytes ago --- */ unsigned int gc_tree; /* 2128 4 */ /* size: 2136, cachelines: 34, members: 7 */ /* padding: 4 */ After: /* size: 4184, cachelines: 66, members: 7 */ /* padding: 4 */ On LOCKDEP enabled kernels, this is even worse: /* size: 18560, cachelines: 290, members: 7 */ (due to lockdep map in each spinlock). For this reason also switch to kvzalloc. The zeroing variant is needed to not start with random (heap memory content) in the ->pending_trees bitmap. Followup patch will add and use a sequence counter. Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: nf_conncount: callers must hold rcu read lockFlorian Westphal
rcu_derefence_raw() should not have been used here, it concealed this bug. Its used because struct rb_node lacks __rcu annotated pointers, so plain rcu_derefence causes sparse warnings. The major tradeoff is that rcu_derefence_raw() doesn't warn when the caller isn't in a rcu read section. Extend the rcu read lock scope accordingly and cause sparse warnings, those warnings are the lesser evil. Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") Closes: https://sashiko.dev/#/patchset/20260603230610.7900-1-fw%40strlen.de Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14netfilter: nf_tables: use DEBUG_NET_WARN_ON_ONCE in packet and control pathsFernando Fernandez Mancera
Replace raw warning macros with DEBUG_NET_WARN_ON_ONCE across the nf_tables API, core engine, and expression evaluations. This prevents unnecessary system panics when panic_on_warn=1 is enabled in production systems. Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14ipvs: Replace use of system_unbound_wq with system_dfl_long_wqMarco Crivellari
This patch continues the effort to refactor workqueue APIs, which has begun with the changes introducing new workqueues and a new alloc_workqueue flag: commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq") commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag") The point of the refactoring is to eventually alter the default behavior of workqueues to become unbound by default so that their workload placement is optimized by the scheduler. Before that to happen, workqueue users must be converted to the better named new workqueues with no intended behaviour changes: system_wq -> system_percpu_wq system_unbound_wq -> system_dfl_wq This way the old obsolete workqueues (system_wq, system_unbound_wq) can be removed in the future. This specific work is considered long, so enqueue it using system_dfl_long_wq instead of system_dfl_wq. Link: https://lore.kernel.org/all/20250221112003.1dSuoGyc@linutronix.de/ Suggested-by: Tejun Heo <tj@kernel.org> Signed-off-by: Marco Crivellari <marco.crivellari@suse.com> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-14batman-adv: tvlv: avoid race of cifsnotfound handler stateSven Eckelmann
TVLV handlers can have the flag BATADV_TVLV_HANDLER_OGM_CIFNOTFND set to signal that the OGM handler should be called (with NULL for data) when the specific TVLV container was not found in the OGM. This is used by: * DAT * GW * Multicast (OGM + Tracker) The state whether the handler was executed was stored in the struct batadv_tvlv_handler. But the TVLV processing is started without any lock. Multiple parallel contexts processing TVLVs would therefore overwrite each others BATADV_TVLV_HANDLER_OGM_CALLED flag in the shared batadv_tvlv_handler. Drop the shared BATADV_TVLV_HANDLER_OGM_CALLED flag and instead determine, per TVLV buffer, whether a matching container was present by scanning the packet's buffer. Cc: stable@kernel.org Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-14ALSA: seq: avoid stale FIFO cells during resizeCen Zhang
snd_seq_fifo_resize() still needs to publish the replacement pool before it waits for FIFO users. A blocking snd_seq_read() holds f->use_lock while it sleeps, so concurrent senders must be able to queue to the new pool and wake that reader instead of failing against a closing old pool. However, snd_seq_fifo_event_in() duplicates an event before it takes f->lock, and snd_seq_read() can dequeue a cell and later call snd_seq_fifo_cell_putback() if copy_to_user() or snd_seq_expand_var_event() fails. If resize swaps f->pool and detaches oldhead in between, either path can relink an old-pool cell after the snapshot. That stale cell sits outside the drained oldhead list, keeps oldpool->counter elevated, and can leave snd_seq_pool_delete() waiting for the retired pool to drain. Keep the existing swap-before-wait ordering in snd_seq_fifo_resize(), but reject stale cells before any FIFO relink. Revalidate event-in cells under f->lock and retry them against the published replacement pool, and free stale putback cells instead of linking them back into the FIFO. The buggy scenario involves two paths, with each column showing the order within that path: resize path: relink path: 1. Allocate newpool. 1. Take f->use_lock. 2. Swap f->pool to newpool and 2. Duplicate or dequeue an old-pool detach oldhead. cell before oldpool closes. 3. Mark oldpool closing and 3. Reach a later relink point after wait for FIFO users. resize published newpool. 4. Free oldhead and delete 4. Relink the old-pool cell after oldpool. resize detached oldhead. 5. Drop f->use_lock. The reproducer reports a resize ioctl blocked in the expected pool teardown path: signal: resize iteration=98 target_pool=4 exceeded 250ms (elapsed=251ms) diagnostic: resize_tid=651 wchan=snd_seq_pool_done diagnostic: resize_tid=651 stack= snd_seq_pool_done+0x5b/0x140 snd_seq_pool_delete+0x7a/0x90 snd_seq_fifo_resize+0x193/0x1e0 snd_seq_ioctl_set_client_pool+0x214/0x260 snd_seq_ioctl+0x119/0x540 __x64_sys_ioctl+0xd1/0x120 do_syscall_64+0xbb/0x2f0 entry_SYSCALL_64_after_hwframe+0x77/0x7f A second run with larger pools hit the same target path: signal: resize iteration=32 target_pool=64 exceeded 250ms (elapsed=251ms) diagnostic: resize_tid=663 wchan=snd_seq_pool_done diagnostic: resize_tid=663 stack= snd_seq_pool_done+0x5b/0x140 snd_seq_pool_delete+0x7a/0x90 snd_seq_fifo_resize+0x193/0x1e0 snd_seq_ioctl_set_client_pool+0x214/0x260 snd_seq_ioctl+0x119/0x540 __x64_sys_ioctl+0xd1/0x120 do_syscall_64+0xbb/0x2f0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize") Signed-off-by: Cen Zhang <zzzccc427@gmail.com> Link: https://patch.msgid.link/20260614004801.3507773-2-zzzccc427@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-14batman-adv: tvlv: enforce 2-byte alignmentSven Eckelmann
The fields of an aggregated OGM(v2) are accessed assuming (at least) 2-byte alignment, so a following OGM must start at an even offset. As the header length is even, an odd tvlv_len would misalign it and trigger unaligned accesses on strict-alignment architectures. Such a misaligned TVLV/OGM/OGMv2 is not created by a normal participant in the mesh. Therefore, reject such malformed packets. Cc: stable@kernel.org Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-14ALSA: seq: oss: Serialize readq reset state with q->lockCen Zhang
snd_seq_oss_readq_clear() resets qlen, head, and tail without q->lock even though the normal reader and producer paths serialize the same ring state under that spinlock. A reset can therefore race snd_seq_oss_readq_free() or snd_seq_oss_readq_put_event() and leave stale records in the queue, drop freshly queued ones, or report the wrong readiness after wakeup. KCSAN reports a data race between snd_seq_oss_readq_clear() and snd_seq_oss_readq_free(). Take q->lock while clearing the ring and resetting input_time. Factor the enqueue logic into a caller-locked helper so snd_seq_oss_readq_put_timestamp() updates its suppression state under the same lock instead of racing the reset path. The buggy scenario involves two paths, with each column showing the order within that path: reset path: locked readq updater: 1. snd_seq_oss_reset() or 1. A reader or callback producer release reaches takes q->lock on the same queue. snd_seq_oss_readq_clear(). 2. snd_seq_oss_readq_clear() 2. The updater tests or modifies resets qlen, head, tail, qlen, head, and tail. and input_time. 3. snd_seq_oss_readq_clear() 3. The updater completes its wakes sleepers on read-modify-write sequence. q->midi_sleep. 4. Without q->lock, the reset 4. The resulting ring state drives can overlap the locked later reads and readiness. update. KCSAN reports: BUG: KCSAN: data-race in snd_seq_oss_readq_clear / snd_seq_oss_readq_free write to 0xffff8881069fe608 of 4 bytes by task 120516 on cpu 0: snd_seq_oss_readq_free+0x6c/0x80 snd_seq_oss_read+0xcb/0x250 odev_read+0x38/0x60 vfs_read+0xff/0x600 ksys_read+0xb4/0x140 __x64_sys_read+0x46/0x60 do_syscall_64+0xbb/0x2f0 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffff8881069fe608 of 4 bytes by task 120517 on cpu 1: snd_seq_oss_readq_clear+0x1f/0x90 snd_seq_oss_reset+0xa7/0xf0 snd_seq_oss_ioctl+0x6f6/0x7e0 odev_ioctl+0x56/0xc0 __x64_sys_ioctl+0xd1/0x120 do_syscall_64+0xbb/0x2f0 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0x00000001 -> 0x00000000 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Cen Zhang <zzzccc427@gmail.com> Link: https://patch.msgid.link/20260614004801.3507773-1-zzzccc427@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-06-14kcm: use WRITE_ONCE() when changing lower socket callbacksRunyu Xiao
kcm_attach() replaces a live lower TCP socket's sk_data_ready and sk_write_space callbacks with KCM handlers, and kcm_unattach() restores them later. Those callback-pointer updates are still plain stores even though the same fields can be read and invoked concurrently on other CPUs. If another CPU observes an older callback snapshot after the live field has already been restored, callback execution can run with a mismatched target and sk_user_data state, leading to stale or misdirected wakeups. Use WRITE_ONCE() for the callback replacement and restore operations so these shared callback fields follow the same visibility contract already established by the earlier 4022 fixes. Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn> Link: https://patch.msgid.link/20260611053543.2429462-1-runyu.xiao@seu.edu.cn Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-14batman-adv: dat: prevent false sharing between VLANsSven Eckelmann
The local hash of DAT entries is supposed to be VLAN (VID) aware. But the adding to the hash and the search in the hash were not checking the VID information of the hash entries. The entries would therefore only be correctly separated when batadv_hash_dat() didn't select the same buckets for different VIDs. Cc: stable@kernel.org Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-14batman-adv: tt: track roam count per VIDSven Eckelmann
batadv_tt_check_roam_count() is supposed to track roaming of a TT entry. But TT entries are for a MAC + VID. The VID was completely missed and thus leads to incorrect detection of ROAM counts when a client MAC exists in multiple VLANs. Cc: stable@kernel.org Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-14batman-adv: tt: don't merge change entries with different VIDsSven Eckelmann
batadv_tt_local_event() merges/cancels events for the same client which would conflict or be duplicates. The matching of the queued events only compares the MAC address - the VLAN ID stored in each event is ignored. If a MAC would now appear on multiple VID, the two ADD change events (for VID 1 and VID 2) would be merged to a single vid event. The remote can therefore not calculate the correct TT table and desync. A full translation table exchange is required to recover from this state. A check of VID is therefore necessary to avoid such wrong merges/cancels. Cc: stable@kernel.org Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-14Merge tag 'iio-fixes-for-7.1b' of ↵Greg Kroah-Hartman
ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-next IIO: 2nd set of fixes for the 7.1 cycle. Usual mixed bag of ancient issues and the recently introduced. Various drivers - Ensure use of simple_write_to_buffer() in debugfs callbacks doesn't result in reading off the end of intended data by checking the position is always 0. buffer/hw-consumer - Ensure scan_mask is freed on buffer release. acpi-als - Check ACPI_COMPANION() against NULL to close corner case where a driver is overridden. adi,ad4062 - Add GPIOLIB dependency to avoid undefined ref to gpiochip_get_data() adi.ad7768-1 - Add GPIOLIB dependency to avoid several undefined functions. adi,ad2s1210 - Ensure possible recovery path if a read fails in the interrupt handler. bosch,bmg160 - Increase sleep on startup to ensure device is ready. bosch,bmp280 - Ensure buffer pushed to kfifo is zeroed to avoid leaking uninitialized stack data to userspace. dyna-image,al3010 - Fix refactor that stopped reading one of the two measurement registers. dyna-image,al3320a - Fix refactor that stopped reading one of the two measurement registers. qcom,spmi-iadc - Ensure disable_irq_wake() is called on remove path. sensiron,scd30 - Fix a sign extension bug. st,vl5310x - Ensure possible recovery path if a read fails in the interrupt handler. ti,adc1298 - Bounds check for pga_settings index. Hardening against device returning unexpected values. ti,tmp006 - Ensure trigger correctly released on remove path. vishay,veml6030 - Fix incorrect channel type in events. vishay,veml6074 - Bounds check for veml6075_it_ms. Hardening against device returning unexpected values. * tag 'iio-fixes-for-7.1b' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio: (23 commits) iio: adc: ad_sigma_delta: fix clear_pending_event for registerless devices iio: adc: ad_sigma_delta: fix CS held asserted and state leaks iio: light: opt3001: fix missing state reset on timeout iio: chemical: scd30: Cleanup initializations and fix sign-extension bug iio: core: fix uninitialized data in debugfs iio: backend: fix uninitialized data in debugfs iio: dac: ad3552r-hs: fix uninitialized data ni ad3552r_hs_write_data_source() iio: adc: qcom-spmi-iadc: balance enable_irq_wake() on driver unbind iio: light: al3320a: read both ALS ADC registers again iio: light: al3010: read both ALS ADC registers again iio: temperature: tmp006: use devm_iio_trigger_register iio: buffer: hw-consumer: free scan_mask on buffer release iio: adc: ad7768-1: Select GPIOLIB iio: light: veml6030: fix channel type when pushing events iio: light: acpi-als: Check ACPI_COMPANION() against NULL iio: resolver: ad2s1210: notify trigger and clear state on fault read error iio: proximity: vl53l0x: notify trigger and clear IRQ on error paths iio: gyro: bmg160: wait full startup time after mode change at probe iio: gyro: bmg160: bail out when bandwidth/filter is not in table iio: pressure: bmp280: zero-init bmp580 trigger handler buffer ...
2026-06-14riscv: kvm: Use endian-specific __lelong for NACL shared memorySean Chang
When compiling with sparse enabled (C=2), bitwise type warnings are triggered in the RISC-V KVM implementation. This occurs because the user-space data unboxing macro '__get_user_asm' performs implicit casting on restricted types without forcing the compiler's compliance. Additionally, raw 'unsigned long *' pointers are used to access the SBI NACL shared memory, whereas the RISC-V SBI specification mandates that these structures must follow little-endian byte ordering. Fix these by: 1. Adding a '__force' cast to '__get_user_asm()' to safely suppress implicit cast warnings during user-space data fetching. 2. Introducing the '__lelong' type macro, which dynamically resolves to '__le32' or '__le64' depending on XLEN, and replacing 'unsigned long *' with '__lelong *' to enforce proper compile-time endianness checks. Signed-off-by: Sean Chang <seanwascoding@gmail.com> Reviewed-by: Anup Patel <anup@brainfault.org> Link: https://lore.kernel.org/r/20260608155252.4292-1-seanwascoding@gmail.com Signed-off-by: Anup Patel <anup@brainfault.org>
2026-06-13apparmor: fix kernel-doc warningsRodrigo Zaiden
Fix two kernel-doc warnings: - non-kernel-doc comment marked with '/**' in af_unix.c - documented symbol name mismatch for aa_get_i_loaddata() in policy_unpack.h No functional changes. Signed-off-by: Rodrigo Zaiden <rodrigoffzz@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: replace get_zeroed_page() with kzalloc()Mike Rapoport (Microsoft)
multi_transaction_new() allocates memory with get_zeroed_page() and uses it as struct multi_transaction. The usage of that structure does not require struct page access and it is better to allocate multi_transaction objects with kzalloc() that provides better scalability and more debugging possibilities. Replace use of get_zeroed_page() with kzalloc(). Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13security: apparmor: fix two spelling mistakesQingshuang Fu
Fix two spelling errors in comment: - interated → interacted - dont → don't Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: fix use-after-free in rawdata dedup loopRuslan Valiyev
aa_replace_profiles() walks ns->rawdata_list to dedup the incoming policy blob against entries already attached to existing profiles. Per the kernel-doc on struct aa_loaddata, list membership does not hold a reference: profiles hold pcount, and when the last pcount drops, do_ploaddata_rmfs() is queued on a workqueue that takes ns->lock and removes the entry. Between dropping the last pcount and the workqueue running, an entry remains on the list with pcount == 0. aa_get_profile_loaddata() is an unconditional kref_get() on pcount, so when the dedup loop hits such an entry, refcount hardening reports refcount_t: addition on 0; use-after-free. inside aa_replace_profiles(), and the poisoned counter then trips "saturated" and "underflow" warnings on the subsequent uses of the same loaddata. Before commit a0b7091c4de4 ("apparmor: fix race on rawdata dereference") the dedup path used a get_unless_zero-style helper on a single counter, so the existing "if (tmp)" guard was meaningful. The split-refcount refactor introduced aa_get_profile_loaddata(), which has plain kref_get() semantics, and the guard quietly became a no-op. Introduce aa_get_profile_loaddata_not0(), matching the existing _not0 convention used by aa_get_profile_not0(), and use it for the rawdata_list dedup lookup so dying entries are skipped. Reproduced on x86_64 with v7.1-rc5 in QEMU+KVM running Ubuntu 24.04 + stress-ng 0.17.06: stress-ng --apparmor 1 --klog-check --timeout 60s Without this patch the three refcount_t warnings fire within a few seconds. With it the same 60 s run is clean. Coverage is a smoke-test only; a longer soak with CONFIG_KASAN, CONFIG_KCSAN and CONFIG_PROVE_LOCKING would be welcome from anyone with the cycles. Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference") Reported-by: Colin Ian King <colin.i.king@gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221513 Cc: stable@vger.kernel.org Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: Fix inverted comparison in cache_hold_inc()Eduardo Vasconcelos
cache_hold_inc() prevents the per-CPU cache hold counter from rising above MAX_HOLD_COUNT, but the comparison is inverted (> MAX_HOLD_COUNT instead of <), so the counter never rises above 0. This breaks the cache mechanism because since the hold counter is always 0, the global pool is always attempted first before falling back to the local cache. The decrement also never occurs, thus the hold counter is effectively dead. Fix by changing > to < in cache_hold_inc(). Fixes: 0b6a6b72b329 ("apparmor: document the buffer hold, add an overflow guard") Signed-off-by: Eduardo Vasconcelos <eduardo@eduardovasconcelos.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: fix uninitialised pointer passed to audit_log_untrustedstring()Maciek Borzecki
Commit 4a134723f9f1 ("apparmor: move check for aa_null file to cover all cases") intrdouced a small bug, where path_name() may pass a potentially uninitialized *name to aa_audit_file() if the path->dentry had been replaced with aa_null.dentry earlier on. This can lead to page fault like one observed on 7.0.2 openSUSE Tumbleweed kernel: [51692.242756] [ T24690] BUG: unable to handle page fault for address: 0000000f00000003 [51692.242762] [ T24690] #PF: supervisor read access in kernel mode [51692.242763] [ T24690] #PF: error_code(0x0000) - not-present page [51692.242765] [ T24690] PGD 0 P4D 0 [51692.242768] [ T24690] Oops: Oops: 0000 [#1] SMP NOPTI [51692.242772] [ T24690] CPU: 3 UID: 1020 PID: 24690 Comm: snap-confine Tainted: G O 7.0.2-1-default #1 PREEMPT(full) openSUSE Tumbleweed ab90b4c9940707f9cafa19bdad80b2cec52dbe51 [51692.242775] [ T24690] Tainted: [O]=OOT_MODULE [51692.242777] [ T24690] Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP05, BIOS 03.18 01/08/2026 [51692.242778] [ T24690] RIP: 0010:strlen+0x4/0x30 [51692.242783] [ T24690] Code: f7 75 ec 31 c0 e9 17 9f 00 ff 48 89 f8 e9 0f 9f 00 ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 18 48 89 f8 0f 1f 40 00 48 83 c0 01 80 38 00 75 f7 48 [51692.242785] [ T24690] RSP: 0018:ffffd015eb1e3608 EFLAGS: 00010282 [51692.242787] [ T24690] RAX: 0000000000000000 RBX: ffff89796198a360 RCX: 0000000000000000 [51692.242788] [ T24690] RDX: 00000000000000d1 RSI: 0000000f00000003 RDI: 0000000f00000003 [51692.242790] [ T24690] RBP: ffffffffb7ede090 R08: 00000000000005f5 R09: 0000000000000000 [51692.242791] [ T24690] R10: 0000000000000000 R11: 0000000000000000 R12: ffffd015eb1e3700 [51692.242792] [ T24690] R13: ffff8977a22bc380 R14: ffffffffb7ec5190 R15: ffff8977a0c8aa80 [51692.242794] [ T24690] FS: 0000000000000000(0000) GS:ffff897f640d8000(0000) knlGS:0000000000000000 [51692.242796] [ T24690] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [51692.242797] [ T24690] CR2: 0000000f00000003 CR3: 00000006ad15f000 CR4: 0000000000f50ef0 [51692.242799] [ T24690] PKRU: 55555554 [51692.242800] [ T24690] Call Trace: [51692.242802] [ T24690] <TASK> [51692.242804] [ T24690] audit_log_untrustedstring+0x1d/0x40 [51692.242811] [ T24690] common_lsm_audit+0x71/0x1d0 [51692.242816] [ T24690] aa_audit+0x5a/0x170 [51692.242819] [ T24690] aa_audit_file+0x18a/0x1b0 [51692.242825] [ T24690] path_name+0xd2/0x100 [51692.242829] [ T24690] profile_path_perm.part.0+0x58/0xb0 [51692.242832] [ T24690] aa_path_perm+0xef/0x150 [51692.242837] [ T24690] apparmor_file_open+0x153/0x2e0 [51692.242840] [ T24690] security_file_open+0x46/0xd0 [51692.242844] [ T24690] do_dentry_open+0xe9/0x4d0 [51692.242848] [ T24690] vfs_open+0x30/0x100 While here, initialise variables which are passed down to path_name(). Fixes: 4a134723f9f1 ("apparmor: move check for aa_null file to cover all cases") Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: don't audit files pointing to aa_null.dentryGeorgia Garcia
In commit 4a134723f9f1 ("apparmor: move check for aa_null file to cover all cases") there was a change to not audit files pointing to aa_null.dentry because they provide no value, but setting the error variable instead of returning -EACCES was still causing them to be audited. Fixes: 4a134723f9f1 ("apparmor: move check for aa_null file to cover all cases") Acked-by: David Disseldorp <ddiss@suse.de> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: put secmark label after secid lookupZygmunt Krynicki
apparmor_secmark_init() parses a configured secmark label to obtain its secid. aa_label_strn_parse() returns a refcounted label, but the success path kept that reference after copying the secid. Fixes: ab9f2115081a ("apparmor: Allow filtering based on secmark policy") Signed-off-by: Zygmunt Krynicki <me@zygoon.pl> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: aa_getprocattr free procattr leak on format failureZygmunt Krynicki
aa_getprocattr() allocates the output string before rendering the label into it. If the second aa_label_snxprint() call fails, the function returned without freeing that allocation. Free and clear the output pointer on the uncommon formatting failure path before dropping the namespace reference. Fixes: 76a1d263aba3 ("apparmor: switch getprocattr to using label_print fns()") Reviewed-by: Tyler Hicks <code@thicks.com> Reviewed-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: Zygmunt Krynicki <me@zygoon.pl> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: remove unnecessary goto and associated labelJohn Johansen
There is no need for a goto a label immediately following the conditional block when the jump is the last statement in the block. Fixes: 7306c41672487 ("apparmor: release exe file resources on path failure") Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: release exe file resources on path failureZygmunt Krynicki
get_current_exe_path() takes both an exe_file reference and a path reference before resolving the path name. If aa_path_name() failed, it returned immediately and leaked both references. Route the failure through the common cleanup path so fput() and path_put() always run after the references are acquired. Fixes: 8d34e16f7f2b ("apparmor: userns: Add support for execpath in userns") Reviewed-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: Zygmunt Krynicki <me@zygoon.pl> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: fail policy unpack on accept2 allocation failureZygmunt Krynicki
unpack_pdb() may need to allocate a missing ACCEPT2 table for older policy data. If that allocation failed, it set an error message but jumped to the success path, returning a policydb with the required table missing. Return -ENOMEM through the normal failure path when the ACCEPT2 allocation fails. Remove the now-unused out label. Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.") Reviewed-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: Zygmunt Krynicki <me@zygoon.pl> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: Fix return in ns_mkdir_opHongling Zeng
Return NULL instead of passing to ERR_PTR while error is zero. Fixes smatch warning: - security/apparmor/apparmorfs.c:1846 ns_mkdir_op() warn: passing zero to 'ERR_PTR' Fixes: 88d5baf69082 ("Change inode_operations.mkdir to return struct dentry *") Reviewed-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: remove or add symlinks to rawdata according to export_binaryGeorgia Garcia
When the export_binary parameter is set, then rawdata is available and there should be a symbolic link for the rawdata in the profile directory in apparmorfs. If the parameter is unset, then the symlinks should not exist. The issue arises when changing the value of export_binary on runtime and replacing profiles. If export_binary was set when the profile was originally loaded, then changed to 0 and the profile was reloaded, then the symbolic links would still exist but would return ENOENT because the rawdata no longer exists. On the opposite side, if export_binary was unset when the profile was originally loaded, then changed to 1 and the profile was reloaded, then the symbolic links would not exist, even though the rawdata does. Fixes: d61c57fde8191 ("apparmor: make export of raw binary profile to userspace optional") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: fix NULL pointer dereference in unpack_pdbGeorgia Garcia
pdb->dfa could be NULL if unpack_dfa fails, causing a NULL pointer dereference. Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: make fn_label_build() capable of handling not supportedJohn Johansen
Currently fn_label_build() callback fns must provide a transition or failure. Change this so that a callback can indicate it should be skipped/not be involved in the label being built. This will be useful when building object labels based on mediation flags, as to whether the label should be set. Existing callers can keep treating NULL return as an error because none of those callback fns support skipping, but instead of the old error handling replace with AA_BUG. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: change fn_label_build() call to not return NULLJohn Johansen
Previously fn_label_build() was accepting a NULL which represented ENOMEM return and ERR_PTR for errors. Clean this up by requiring the cb fn to return an ERR_PTR or valid value. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: fix potential UAF in aa_replace_profilesMaxime Bélair
The function aa_replace_profiles was accessing udata->size after calling aa_put_loaddata(udata), causing a potential UAF. Fixed this by saving the size to a local variable before dropping the reference. Fixes: 5ac8c355ae001 ("apparmor: allow introspecting the loaded policy pre internal transform") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-06-13apparmor: free rawdata as soon as possibleJohn Johansen
profiles can be pinned by file and other references, and can live long after they have been replaced/removed. The rawdata however is no longer needed, and can be freed earlier than the rest of the profile. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>